Simplified anonymity mining

Imagine an anonymity set that doesn’t have a fixed deposit/withdrawal size. Instead the size is determined by the following algorithm:

Let n be the number of unclaimed notes in the set and x be the total amount of ETH that is currently deposited. If n is 0, the deposit must be some fixed value. Otherwise the deposit must be exactly x/n. Every withdrawal is only f * x/n (where f is a factor close to 1, like 0.995).

Over time each deposit gets worth more and more (because the fraction x/n grows). It never reduces in value (except initially by the factor f). This means that people are encouraged to deposit to the anonymity set and keep the deposit. The growth is paid by those, who withdraw their deposit before it reaches its original value. No third party is involved. Full anonymity is preserved.

A drawback is that from time to time a new anonymity set with lower deposit size must be created. Maybe a single contract could handle multiple anonymity sets and create them dynamically.

This is just a thought that I had about anonymity mining. What do you think of it?

At a first glance, this really seems like a good way to convert a reputable project with an actual use case to a short term ponzi whilst adding unnecessary layers of complexity in the process.
Furthermore, offering wider breadth of possible deposit amounts tarnishes anonimity.

As I’ve said, this was just a thought. I don’t think that it is immediately feasible.

But I do not think that it is a ponzi scheme. In this proposal those who want a quick withdrawal pay a small amount (that is limited by f) to those that keep their deposit in the pool for longer. If everyone keeps their deposit in the pool for approximately the same time, the difference between deposit and withdrawal converges to zero for everyone.

So it is the same as if everyone pays a small fee on deposit. On withdrawal one receives a part of the fees that is proportional to the time the deposit was in the pool.

And regarding the widening of the deposit pools: I totally agree! But I think the impact is limited. I think the growth of the deposit size would be limited to the interest rate that you can get in other projects (otherwise more people would deposit their tokens here, which slows down the growth).

Lets just as an example say the yearly deposit growth is about 5%. If there should be a pool that has a deposit size between 1 and 2 ETH, it must be replaced only every 15 years. The old pool can be phased out. I think that could be manageable.

I apologize if I came across as rude - I think original ideas like yours are the fuel of any community and project and their expression should be welcomed, just have concerns over non-fixed incoming/outgoing amounts jeopardizing anonimity, which is the quintessential element this protocol exists for.

I do like the core rationale around rewarding late withdrawals at the expenses of early withdrawals as prolongued deposit time make for more robust anonimity, but we somewhat have this already in place with the AP system.

Don’t worry, I think it’s important to discuss such concerns.

Yes, this is intended to do exactly the same as the AP system does. I think it has pros and cons. On the plus side there is a little bit less complexity because it doesn’t involve additional tokens, proofs and one doesn’t need to claim the rewards explicitly. On the negative side there is the not so nice deposit size and the regular replacement of pools. I don’t know what’s better, but I wanted to throw this variant into the room too.

It should not affect anonymity. At any point in time the deposit/withdrawal amount per note is the same for everyone. The amounts are in no way dependent on a specific note. Assuming everything else is the same, same number of pools and so on.

The amount withdrawn being related (thus potentially subjected to procedural backward calculation / guesstimation) to the time spent in the pool would make it trivial to develop software able to map transactions correlations to the point of linking your and other users’ deposit and withdrawals addresses.

Hm sorry, I don’t understand yet.

Let’s say:

• A deposits 1 ETH
• More deposits/withdrawals, making the deposit size change to 1.1 ETH.
• B deposits 1.1 ETH
• …
• C deposits 1.2 ETH
• …
• D deposits 1.3 ETH
• …
• Someone withdraws 1.4 ETH.

This someone could be A, B, C, D or anyone in between. Any of them would withdraw 1.4 ETH at this point in time. Do I overlook something?

There is another way to think about this algorithm. Image there is a token that is backed by ETH. Let’s say it is currently backed by x ETH and there are n tokens. At any time you can mint this token by paying x/n ETH or destroy a token and receive f * x/n ETH. Very similar to deposit and withdrawal above.

If there is an anonymity pool, that has exactly the same properties as the current pools, but it accepts this token. Then swapping ETH to this token, anonymizing it and swapping it back to ETH does exactly what the algorithm that I described before does. The only difference is that previously, the swapping was integrated directly into deposit and withdrawal.

Thinking about it in this way, means that it can actually be combined with what I described here Flexible Tornado Cash Deposits - #3 by Forded. That would solve the ever increasing deposit and withdrawal sizes, because they can be changed at any time. For example it could be halved every time it doubles. The only implication would be that users, that deposited before the halving, now must do two withdrawals instead of one. If they make them to the same wallet, they reveal that they deposited before the halving but nothing more.

I now think that this approach to anonymity mining has a big flaw.

While I do think that this algorithm works and increases the number of deposits in the pool, I’m not sure if it increases the actual anonymity set.

The reason is, that there is no incentive for an anonymity miner to keep deposit and withdrawal unconnected. In the worst case everyone that deposits to the pool for interest, withdraws to the same wallet that he has deposited with. That makes it trivial to remove those deposits from the anonymity set.

I don’t know what percentage of such deposits/withdrawals would be easily connectable, therefore I don’t know if something like this makes sense.

Isn’t that also a problem with AP mining right now?

As far as I can see yes. Maybe the problem is a little bit dampened currently, because you earn TORN instead of ETH directly. Hard to tell I think.

You could at any time calculate an instant withdraw->ETH rate, assumed an atomic withdraw->AP->TORN->ETH existed.

It doesn’t, but everybody can implement one independently of the protocol. In other words, because you can immediately sell your TORN after withdrawal, there is no incentive to make it grow.

A miner who deposits and withdraws from the same address really made a zippo contribution to the anonymity pool, because the pool can be treated as if his deposit/withdrawal never existed. It doesn’t matter how long his deposit was in. And he is rewarded for adding anonymity, but he only added a false sense of anonymity. This seems flawed.

I’m curious if devs thought about this. Probably its somehow caught by the AP/TORN rate which reduces the amount of returners. Still they could all do these flawed withdrawals.

Otherwise it might be sensible to freeze AP redeemed TORN for a while.

I agree, that’s why I said maybe currently a little bit dampened but in principle it has the same problem.

I don’t think this is necessary. Adding false anonymity to the pool doesn’t hurt necessarily, as long as users are aware of it. A malicious actor could add false anonymity anyway, so this should always be considered.

In fact I think that anonymity mining (this or the AP mining) is still a good thing (at least the best we have currently) and can add some anonymity. Reason is that probably some percentage of miner deposits/withdrawals are hard to connect. One just has to keep in mind that the actual anonymity added is probably much less then the number of deposits.

There is no way to prevent this behavior. So the hope is that even if some percentage of miners preserve their anonymity it’s good for the pool. Withdrawing while preserving anonymity costs the same as withdrawing to original address, so many miners might decide to get anon addresses since it’s free.